AWS Certified SysOps Administrator – Associate — Question 414
A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months.
What is the process to rotate the key?
Answer options
- A. Enable automatic key rotation for the CMK, and specify a period of 6 months.
- B. Create a new CMK with new imported material, and update the key alias to point to the new CMK.
- C. Delete the current key material, and import new material into the existing CMK.
- D. Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months.
Correct answer: B
Explanation
AWS KMS does not support automatic key rotation for CMKs whose key material was imported (key origin EXTERNAL), which rules out options A and D; the 6-month cadence has to be driven by the company (for example a scheduled job or runbook), not by a KMS rotation setting. Rotation is therefore manual: create a new CMK with origin EXTERNAL, import freshly generated key material into it, and update the alias so that the Java application's next encrypt call uses the new CMK without a code change. Option C does not rotate anything either: you can delete imported key material and later re-import it, but KMS only accepts the same key material for an existing CMK, so different material cannot be imported into it. After the alias is updated, keep the old CMK enabled (and its key material in place) until data encrypted under it has been re-encrypted, because a Decrypt call locates the CMK from the ciphertext itself rather than from the alias.
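The manual rotation described above, scripted end to end, as an added example that is not part of the question bank or any AWS sample. It assumes the AWS CLI v2 and openssl are installed, that the caller has kms:CreateKey, kms:GetParametersForImport, kms:ImportKeyMaterial and kms:UpdateAlias, and that the alias name (alias/orders-app in the usage line) is hypothetical. With DRY_RUN=1 the aws calls are printed instead of executed and a locally generated RSA key pair stands in for the KMS wrapping key, so the openssl wrapping steps can be exercised offline.

```shell
#!/usr/bin/env bash
# rotate-imported-cmk.sh: manual rotation of a KMS key that uses imported key material.
# Added example (not AWS code). Assumes AWS CLI v2 + openssl and the KMS permissions
# listed in the lead-in. DRY_RUN=1 prints the aws commands instead of running them.
set -euo pipefail

# Run an AWS CLI command, or just print it when DRY_RUN=1.
aws_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# Generate fresh 256-bit symmetric key material (what a SYMMETRIC_DEFAULT CMK expects).
generate_key_material() {   # $1 = output file
  openssl rand -out "$1" 32
  chmod 600 "$1"
}

# Wrap the plaintext key material with the KMS wrapping public key using
# RSAES_OAEP_SHA_256, the wrapping algorithm requested from get-parameters-for-import.
wrap_key_material() {       # $1 = plaintext key, $2 = public key, $3 = DER|PEM, $4 = output
  openssl pkeyutl -encrypt -in "$1" -out "$4" \
    -inkey "$2" -keyform "$3" -pubin \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# Local verification only: KMS never exposes its wrapping private key. Used to check the
# wrapping step against a locally generated RSA key pair.
unwrap_key_material() {     # $1 = wrapped file, $2 = private key (PEM), $3 = output
  openssl pkeyutl -decrypt -in "$1" -out "$3" -inkey "$2" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# Full rotation: new CMK with EXTERNAL origin, import new material, repoint the alias.
# Prints the new key ID. $1 = alias (e.g. alias/orders-app), $2 = scratch directory.
rotate_imported_cmk() {
  local alias_name="$1" work="$2" key_id pubkey_b64 token_b64
  if [ "${DRY_RUN:-0}" = "1" ]; then
    # Dry run: placeholder key ID and a local RSA key pair instead of the KMS wrapping key.
    key_id="00000000-0000-0000-0000-000000000000"
    aws_cmd kms create-key --origin EXTERNAL --key-spec SYMMETRIC_DEFAULT --description "rotation of $alias_name"
    aws_cmd kms get-parameters-for-import --key-id "$key_id" --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/local-wrapping-priv.pem" 2>/dev/null
    openssl pkey -in "$work/local-wrapping-priv.pem" -pubout -outform DER -out "$work/WrappingPublicKey.bin"
    : > "$work/ImportToken.bin"
  else
    key_id=$(aws kms create-key --origin EXTERNAL --key-spec SYMMETRIC_DEFAULT \
      --description "rotation of $alias_name" --query KeyMetadata.KeyId --output text)
    # A single call returns a matching public key / import token pair (valid for 24 hours).
    read -r pubkey_b64 token_b64 < <(aws kms get-parameters-for-import --key-id "$key_id" \
      --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
      --query '[PublicKey, ImportToken]' --output text)
    printf '%s' "$pubkey_b64" | base64 --decode > "$work/WrappingPublicKey.bin"
    printf '%s' "$token_b64" | base64 --decode > "$work/ImportToken.bin"
  fi
  generate_key_material "$work/PlaintextKeyMaterial.bin"
  wrap_key_material "$work/PlaintextKeyMaterial.bin" "$work/WrappingPublicKey.bin" DER "$work/EncryptedKeyMaterial.bin"
  # No expiry on the material: the 6-month cadence is enforced by running this script, and
  # expiring material would make ciphertext under the old CMK undecryptable.
  aws_cmd kms import-key-material --key-id "$key_id" \
    --encrypted-key-material "fileb://$work/EncryptedKeyMaterial.bin" \
    --import-token "fileb://$work/ImportToken.bin" \
    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
  # Repoint the alias: the app's next Encrypt uses the new CMK. The old CMK stays enabled so
  # existing ciphertext still decrypts (Decrypt finds the key from the ciphertext, not the alias).
  aws_cmd kms update-alias --alias-name "$alias_name" --target-key-id "$key_id"
  rm -f "$work/PlaintextKeyMaterial.bin"
  echo "$key_id"
}

# Usage: RUN=1 ./rotate-imported-cmk.sh alias/orders-app   (add DRY_RUN=1 to only print aws calls)
if [ "${RUN:-0}" = "1" ]; then
  rotate_imported_cmk "${1:?alias name required}" "$(mktemp -d)"
fi
```

The old CMK is deliberately left untouched; schedule its deletion only after every object encrypted under it has been re-encrypted with the new alias target, otherwise that data is lost.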